Anonymous Surfing? Hackers Eavesdropping on Tor

In the news over the last few days has been a story about Wikileaks and where they got their initial documents to post. According to the Wikileaks project page, “WikiLeaks is a multi-jurisdictional public service designed to protect whistleblowers, journalists and activists who have sensitive materials to communicate to the public.”

On Tuesday, Wired.com accused Wikileaks of obtaining their original documents by eavesdropping on the Tor network. The Tor network is a service used to anonymize internet traffic. Supposedly, one of the Wikileaks activists collected documents intercepted on Tor from Chinese hackers and posted a collection of them on the site:

“The activist siphoned more than a million documents as they traveled across the internet through Tor, also known as “The Onion Router,” a sophisticated privacy tool that lets users navigate and send documents through the internet anonymously.”

Wikileaks has since denied the claim, according to an article on The Register:

Assange responded to our inquiries by saying the New Yorker and Wired had each presented a misleading picture, without shedding much light on WikiLeaks' use of Tor exit node interception.

The imputation is incorrect. The facts concern a 2006 investigation into Chinese espionage that one of our contacts was involved in. Somewhere between none and a handful of those documents were ever released on WikiLeaks. Non-government targets of the Chinese espionage, such as Tibetan associations, were informed (by us).

Whether or not Wikileaks used these documents, the comment suggests that Wikileaks did in fact intercept documents on the Tor network. This is not the only instance where data has been intercepted from Tor, which leads to the question: just how safe is Tor?

Let’s take a quick look at Tor. Tor acts as a web proxy. Instead of connecting you directly to the website you enter, Tor wraps your request in layers of encryption and passes it through a series of nodes (relays) around the world; each relay removes one layer, and the last one, the exit node, connects to the original target on your behalf. This makes it very hard to backtrack and see where the data came from. The weakness in Tor, and a warning has been posted by Tor regarding this, is that when your data reaches the exit node the last layer of Tor encryption is gone, so anything you did not already encrypt end to end (for example a plain HTTP request) is readable there. Anyone monitoring this exit node can read that data. Hackers have set up exit nodes and monitored them to intercept passwords, login credentials, credit card information and, in this case, documents.

Because you have no control over the exit node, Tor should not be used for banking, shopping or anything where you are sending login credentials or other sensitive information. VPNs or end-to-end encrypted communications are the better choice for business transactions.
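As an added illustration (not code from the original post and not the Tor project's protocol), here is a toy three-hop model of the circuit described above: each relay peels one layer, and the exit relay forwards whatever the client placed inside. The XOR cipher, the hop keys and the sample request are all made up for the demo; the "end-to-end key" stands in for the HTTPS session the page recommends.

```python
"""Toy model of a three-hop Tor-style circuit (illustration only, not Tor's
real protocol). Shows why the exit relay can read a request unless the client
already encrypted it end to end (the role HTTPS or a VPN plays in practice)."""
import hashlib
import os
from typing import List, Optional


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by SHA-256 (demo only, never use for real).
    It is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def build_onion(payload: bytes, hop_keys: List[bytes]) -> bytes:
    """Client wraps the payload once per hop; the exit's layer goes on first
    so that it is the last one to be removed."""
    cell = payload
    for key in reversed(hop_keys):
        cell = toy_cipher(key, cell)
    return cell


def relay_circuit(cell: bytes, hop_keys: List[bytes]) -> List[bytes]:
    """Each relay strips its own layer. Returns what each relay holds after
    decrypting; the last entry is what the exit sends on to the website."""
    seen = []
    for key in hop_keys:
        cell = toy_cipher(key, cell)
        seen.append(cell)
    return seen


def exit_can_read(request: bytes, end_to_end_key: Optional[bytes]) -> bool:
    """True when the exit relay ends up holding the request in the clear.
    Hop keys are random per circuit (constructed here for the demo)."""
    hop_keys = [os.urandom(16) for _ in range(3)]  # guard, middle, exit
    payload = request if end_to_end_key is None else toy_cipher(end_to_end_key, request)
    seen = relay_circuit(build_onion(payload, hop_keys), hop_keys)
    # The guard and middle relays only ever see ciphertext for later hops.
    assert all(layer != request for layer in seen[:-1])
    return seen[-1] == request
```

Running `exit_can_read(b"POST /login user=alice&pw=hunter2", None)` returns True, while the same request with an end-to-end key returns False: the exit still forwards it, but cannot read it.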

I hear you. I watched one of Moxie Marlinspike’s SSL Strip webcasts a while back and he mentioned that he ran SSL Strip on his Tor Onion exit router.

He then gave the stats of login names, passwords, credit cards, etc. that he collected. It was crazy. Because he used SSL Strip, everything was in plain text, even the SSL data. He then said that he discarded them, he just wanted to see if it could be done. But if the good guys have done it, you gotta believe that the bad guys are doing it too…